DPDP Compliance

• As Data Fiduciary: We determine the purpose and means of processing personal data collected through our website and services
• As Data Processor: We process personal data on behalf of enterprise clients who use our WhatsApp API solutions, following their instructions and our data processing agreements
• Significant Data Fiduciary: We maintain enhanced compliance measures as we process substantial volumes of personal data through our platform

• Consent: Obtained freely, specifically, informed, and unconditional for specific processing purposes
• Contractual Necessity: Processing necessary for performance of a contract with the data principal
• Legal Obligation: Processing required to comply with applicable laws and regulations
• Legitimate Purpose: Processing for purposes that are reasonably expected by the data principal

• Right to access information about their personal data and processing activities
• Right to correction and erasure of inaccurate or incomplete personal data
• Right to data portability in a machine-readable format
• Right to withdraw consent at any time
• Right to be informed about processing activities and purposes
• Right to lodge complaints with the Data Protection Board of India

5.1 Types of Data Collected

We collect only personal data that is necessary for specified, explicit, and legitimate purposes: contact information, business details, usage data, and communication records.

5.2 Purpose Limitation

Personal data is processed only for the purposes for which it was collected. We do not process data in a manner incompatible with those purposes without obtaining additional consent.

5.3 Data Minimization

We collect only the minimum personal data necessary to fulfill the specified purposes. We do not collect or retain excessive data beyond what is required.

• Consent is obtained through a clear and affirmative action
• Consent requests are presented separately from other matters
• Clear and plain language is used to explain the purpose of processing
• Data Principals can easily withdraw consent through simple mechanisms
• Detailed consent records are maintained for accountability

• Encryption: All personal data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access controls with multi-factor authentication for all systems
• Security Audits: Regular security assessments, penetration testing, and vulnerability scans
• Incident Response: Documented incident response procedures with notification protocols
• Employee Training: Regular data protection and security awareness training for all personnel

• Assess the severity and scope of the breach within 48 hours
• Notify the Data Protection Board of India within 72 hours of becoming aware of a notifiable breach
• Inform affected Data Principals without undue delay if the breach is likely to result in adverse effects
• Document all breaches and remedial actions taken
• Implement measures to prevent similar breaches in the future

• Active Account Data: Retained while the account is active and for a defined period thereafter for legitimate business purposes
• Legal Retention: Data required for legal compliance may be retained for the period mandated by applicable laws
• Deletion Requests: Upon request from a Data Principal or upon account deletion, we securely delete or anonymize personal data within 30 days

• Maintaining primary data storage within India
• Only transferring data to countries not restricted by the Central Government
• Implementing standard contractual clauses for any international transfers
• Ensuring adequate protection measures are in place for transferred data
• Informing Data Principals about international transfers in our privacy notices

• DPO Contact: Data Protection Officer can be reached at dpo@whats91.com
• Response Time: We acknowledge grievances within 48 hours and respond substantively within 30 days
• Escalation: If unsatisfied with our response, Data Principals can approach the Data Protection Board of India